Wednesday, January 1, 2020

Today's project (setting up a knockd lab for CTF training) isn't improving my opinion of Ubuntu packaging much. This isn't the first time in the past week that I've run across munged packages and old code.

The scenario for the lab is that rubber hose cryptography was employed against an evil hacker and produced the following:

  • the hacker's handle
  • his workstation password
  • a sequence of numbers: 2222, 3333, 4444
  • and that an encryption key will be available on a certain port

The student will be tasked with finding the hidden server in the hacker's private network, figuring out how to open the port on the server, and obtaining the key from the open port. The unstated facts include that only nmap and netcat are available on the hacker's workstation.

In the first 30 minutes, I was able to design a Docker container that runs supervisord, knockd, socat, and an internal (to the container) instance of iptables. In the subsequent hour, I tried various things to get knockd to run the close-port command properly. Even the configuration examples provided by the original authors didn't work. The "iptables -D" commands would work on the command line but not when called by knockd.

To make a long story short, if you're using the Ubuntu knockd package, the close command will need to be wrapped in "bash -c 'the command'" before it'll work properly. I've added "patching" to my to-do list, but it's near the bottom (it won't happen any time soon). At the top of the list is adding this instance to the OVS architecture, which resides behind a Guacamole instance, and adding a dynamic flag calculation for use in CTFd.
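For reference, here is what that looks like in knockd.conf, as an added example rather than the lab's actual configuration: the open stanza uses the lab's 2222,3333,4444 sequence, the first close stanza is the form that failed for me under the Ubuntu package, and the second is the same command wrapped in bash -c. The interface name, the port 31337 that socat serves the key on, and the reversed close sequence are assumptions chosen for illustration.

```ini
[options]
  UseSyslog
  ; assumed container interface; adjust to what "ip link" shows
  Interface = eth0

[openKey]
  ; the sequence extracted in the scenario: 2222, 3333, 4444
  sequence    = 2222,3333,4444
  seq_timeout = 5
  tcpflags    = syn
  ; allow only the knocking host to reach the (assumed) key port
  command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 31337 -j ACCEPT

; Close stanza as written in the upstream examples. On the Ubuntu package
; this "iptables -D" never took effect for me when run by knockd, although
; the identical command worked from a shell.
;[closeKey]
;  sequence    = 4444,3333,2222
;  seq_timeout = 5
;  tcpflags    = syn
;  command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 31337 -j ACCEPT

; Working close stanza: the same rule deletion wrapped in bash -c.
[closeKey]
  sequence    = 4444,3333,2222
  seq_timeout = 5
  tcpflags    = syn
  command     = /bin/bash -c '/sbin/iptables -D INPUT -s %IP% -p tcp --dport 31337 -j ACCEPT'
```

After a knock, "iptables -L INPUT -n" should show the ACCEPT rule for the knocking host's address, and it should be gone again after the close sequence; if the rule lingers, the close command is the first thing to check.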